First, make signing up computationally expensive. Some javascript that would have to run client side, like a crypto miner or something, and deliver proof to the server that some significant amount of CPU power was used.
Second, some type of CAPTCHA. ReCaptcha with the settings turned up a bit is a good way to go.
Third, IP address reputation checks. Check IP addresses for known spam servers, it’s the same thing email servers do. There’s realtime blacklists you can query against. If the client IP is on them, don’t allow registration but only allow application to register.
make signing up computationally expensive. Some javascript that would have to run client side, like a crypto miner or something, and deliver proof to the server that some significant amount of CPU power was used.
Haha, I like this one! Had to strike a balance between ‘make it annoying enough to deter bots’ and ‘make it accessible enough to allow humans’. Might be hard, because people have vastly different hardware.
Personally, I probably would be fine waiting for 1s, maybe up to 5s. Not sure if that is enough to keep the bots out. As far as I understand, they would still try (and succeed), just be fewer because signup takes more time.
I also like the side-effect of micro-supporting the instance you join with a one time fee. I expect haters to hate this quite a lot though.
I’d do a few things.
First, make signing up computationally expensive. Some javascript that would have to run client side, like a crypto miner or something, and deliver proof to the server that some significant amount of CPU power was used.
Second, some type of CAPTCHA. ReCaptcha with the settings turned up a bit is a good way to go.
Third, IP address reputation checks. Check IP addresses for known spam servers, it’s the same thing email servers do. There’s realtime blacklists you can query against. If the client IP is on them, don’t allow registration but only allow application to register.
Haha, I like this one! Had to strike a balance between ‘make it annoying enough to deter bots’ and ‘make it accessible enough to allow humans’. Might be hard, because people have vastly different hardware. Personally, I probably would be fine waiting for 1s, maybe up to 5s. Not sure if that is enough to keep the bots out. As far as I understand, they would still try (and succeed), just be fewer because signup takes more time.
I also like the side-effect of micro-supporting the instance you join with a one time fee. I expect haters to hate this quite a lot though.
The mCaptcha system Lemmy devs are/were working on integrating on the next version is based on this approach afaik.
It doesn’t use any crypto but it does do “wasteful” proof-of-work calculations of some kind.